Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.  

The FTC charges stem from two security breaches in 2009, in which hackers gained control of Twitter employee accounts and used Twitter's administrative controls to access the accounts of high-profile users, including Barack Obama.  (Under hacker control, President-elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first incident in January 2009 and blogged about the second in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

  • Twitter allegedly had no policy requiring its administrators to choose hard-to-guess passwords; instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.

  • Twitter employees were allowed to store administrative passwords in plain text, including in their personal e-mail accounts, so that once hackers broke into those accounts, they had full administrative access to other users' Twitter accounts.

  • Twitter did not suspend or disable administrative accounts after a reasonable number of unsuccessful login attempts, allowing hackers to easily run automated password-guessing tools against them.

  • Twitter administrators were not required to change their passwords regularly.

  • Twitter did not limit administrative access to user accounts to those employees who needed such access.

  • Twitter did not do enough to restrict administrative access to authorized individuals, such as by requiring administrators to log in through a separate employee website or by restricting administrative access to specific IP addresses.

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to honor those settings. In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private, and the alleged lack of security allowed hackers to read those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that users' privacy was protected amounted to a deceptive act under the FTC Act. 

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

 

Incident of the Week: Army Intelligence Analyst In Custody After Claiming that He Leaked Thousands of Classified Documents

22-year-old U.S. Army intelligence analyst Bradley Manning is reportedly in custody in Kuwait after claiming that he sent 260,000 classified documents to the WikiLeaks website. According to WIRED, Manning, who served at Forward Operating Base Hammer near Baghdad in Iraq, made the admission after reaching out to former hacker Adrian Lamo in a series of Internet chats beginning on May 21st.  Manning ominously began the conversation with the following:

(1:41:12 PM) Bradley Manning: hi
(1:44:04 PM) Manning: how are you?
(1:47:01 PM) Manning: im an army intelligence analyst, deployed to eastern baghdad, pending discharge for “adjustment disorder” [. . .]
(1:56:24 PM) Manning: im sure you’re pretty busy…
(1:58:31 PM) Manning: if you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?

[Read more of Manning's discussions with Lamo at WIRED.]
 
Lamo continued Internet discussions with Manning after tipping off the FBI and Army CID of the potential leak.  "I wouldn't have done this if lives weren't in danger," Lamo told reporters at WIRED. "He was in a war zone and basically trying to vacuum up as much classified information as he could, and just throwing it up into the air."
 
The turning point for Manning apparently came when he was ordered to investigate the arrest of Iraqis by the Iraqi Federal Police for the distribution of "anti Iraq" literature.  When Manning discovered that the literature in question was a "benign political critique" of Iraqi Prime Minister Al-Maliki, Manning reported the incident to Army superiors, who told Manning "to shut up."  Manning apparently then began to leak classified materials in an effort to "do the right thing."  The materials Manning leaked apparently included a video of a 2007 U.S. Army helicopter attack in Baghdad that killed a number of civilians.
 

Incident of the Week: Clickjacking Worm Induces Thousands of Facebook Users to "Like" Infected Websites

This week was an unusually optimistic one for hundreds of thousands of Facebook users who found that their accounts were automatically endorsing numerous oddly titled websites.  If you have been avoiding Facebook, your closest Facebook user (anyone under the age of 30 is a safe guess) can explain that one way users have to share things with their friends, including websites, musicians, television shows, ideas and other users, is to click the ever-present "Like" button.  Some have begun to call this new exploit "likejacking."

The culprit for this unintentional optimism is a "clickjacking" worm, which relies on a user-interface trick rather than on a flaw in any particular browser: the bait page stacks a transparent frame containing Facebook's own "Like" button on top of a visible "Click here to continue" message, so a visitor who is logged in to Facebook and clicks the message actually clicks "Like" for the bait page.  The victim's account then recommends links with titles such as "LOL This girl gets OWNED after POLICE OFFICER reads her STATUS MESSAGE" to his or her friends, who are encouraged to visit the sites.  Each friend who follows the link and clicks "Click here to continue" repeats the process, spreading the endorsement to his or her own friends. 
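Clickjacking works because the target page is willing to be displayed inside someone else's frame. The following is an added example, not code from the original post, from Sophos or from Facebook: it shows the shape of a likejacking page (a decoy message with an invisible frame positioned over it) and, on the defender's side, a check of whether a page's response headers allow it to be framed at all. The URLs, header values and origins are constructed for illustration.

```javascript
// Added example, not code from the original post, Sophos or Facebook.
// (1) Attacker side: the visitor sees only the decoy text; the click lands on
//     the transparent iframe stacked above it, which holds the genuine button.
// The URL and geometry below are illustrative assumptions.
function likejackPage(likeButtonUrl, decoyText) {
  return `<!doctype html>
<body>
  <div id="decoy" style="position:absolute;top:120px;left:80px;
       font:bold 16px sans-serif;">${decoyText}</div>
  <iframe src="${likeButtonUrl}" scrolling="no" frameborder="0"
          style="position:absolute;top:110px;left:70px;width:90px;height:25px;
                 opacity:0;z-index:10;"></iframe>
</body>`;
}

// (2) Defender side: can a page served with these response headers be placed
//     in a frame by framerOrigin? Header names are matched case-insensitively.
//     Host-source matching is simplified to exact origins (no wildcards or
//     scheme-less hosts), which is enough for a sanity check.
function allowsFraming(headers, pageOrigin, framerOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };

  // Browsers honour CSP frame-ancestors over X-Frame-Options when both exist.
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return false;
      if (sources.includes("*")) return true;
      if (sources.includes("self") && framerOrigin === pageOrigin) return true;
      return sources.includes(framerOrigin.toLowerCase());
    }
  }

  const xfo = get("x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // Unrecognised or obsolete values (e.g. ALLOW-FROM) are not honoured by
    // current browsers, so treat them as providing no protection.
  }
  return true; // no anti-framing header: the page can be clickjacked
}
```

The check is for pages that must never be framed (account settings, admin consoles, anything with a one-click action). A widget that is designed to be embedded, such as a Like button, cannot send DENY, which is exactly why likejacking worked; there the mitigation has to come from the widget's owner, not from the embedding page.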

If you have begun to notice that you are "Like"-ing websites more than usual, Sophos makes the following recommendation to users who have been infected:

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.